diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 694eb08ae1aa..26d15a973c28 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -353,7 +353,7 @@ extern void esp4_ctlinput(int cmd, struct sockaddr *sa, void *);
 extern int ipcomp4_input(struct mbuf **mp, int *offp, int proto);
 extern int ipsec4_common_input(struct mbuf *m, ...);
 extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
- int skip, int protoff, struct m_tag *mt);
+ int skip, int protoff);
 extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *, int, int);
 extern int ipsec_process_done(struct mbuf *, struct ipsecrequest *);
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 5179939a7708..38ac1144cb7e 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -64,7 +64,7 @@ extern int ipsec6_in_reject(struct mbuf *, struct inpcb *);
 struct m_tag;
 extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto);
 extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav,
- int skip, int protoff, struct m_tag *mt);
+ int skip, int protoff);
 extern void esp6_ctlinput(int, struct sockaddr *, void *);
 extern int ipsec6_process_packet(struct mbuf *, struct ipsecrequest *);
 #endif /*_KERNEL*/
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 2c133c797fe7..86cc5b532e8f 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -317,8 +317,8 @@ ipcomp4_input(struct mbuf **mp, int *offp, int proto)
 * the processed packet.
 */
 int
-ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
- int skip, int protoff, struct m_tag *mt)
+ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
+ int protoff)
 {
 int prot, af, sproto, isr_prot;
 struct ip *ip;
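Review bot: In sys/netipsec/ipsec6.h the forward declaration `struct m_tag;` is still present as context directly above the prototypes, although `ipsec6_common_input_cb`, the only prototype in this hunk that used the type, no longer takes a `struct m_tag *`. If no other declaration in the header (not visible here) refers to it, the line should be dropped in the same commit so the header does not imply that packet tags still cross this interface. The ipsec.h hunk shows no equivalent leftover.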
@@ -475,13 +475,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 /*
 * Record what we've done to the packet (under what SA it was
- * processed). If we've been passed an mtag, it means the packet
- * was already processed by an ethernet/crypto combo card and
- * thus has a tag attached with all the right information, but
- * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
- * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+ * processed).
 */
- if (mt == NULL && sproto != IPPROTO_IPCOMP) {
+ if (sproto != IPPROTO_IPCOMP) {
 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, sizeof(struct tdb_ident), M_NOWAIT);
 if (mtag == NULL) {
@@ -500,9 +496,6 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 tdbi->alg_enc = sav->alg_enc;
 m_tag_prepend(m, mtag);
- } else if (mt != NULL) {
- mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
- /* XXX do we need to mark m_flags??? */
 }
 key_sa_recordxfer(sav, m); /* record data transfer */
@@ -619,8 +612,8 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
 * filtering and other sanity checks on the processed packet.
 */
 int
-ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
- struct m_tag *mt)
+ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
+ int protoff)
 {
 int prot, af, sproto;
 struct ip6_hdr *ip6;
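Review bot: The shortened comment above `if (sproto != IPPROTO_IPCOMP)` in ipsec4_common_input_cb (hunk at -475, and the matching hunk at -764 in ipsec6_common_input_cb) no longer explains the one condition that remains. With the `mt` branch gone, this block is the only place in view that attaches PACKET_TAG_IPSEC_IN_DONE, so a reader auditing inbound policy enforcement needs to know why IPComp packets are left untagged. Extend the comment with one sentence giving that reason, presumably that compression alone provides no authentication or confidentiality, for example `* processed). IPComp is skipped because it is not a security transform.` if that is indeed the intent. Both function bodies start and end outside these hunks, so the `mtag == NULL` failure path cannot be checked from here.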
@@ -764,13 +757,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 /*
 * Record what we've done to the packet (under what SA it was
- * processed). If we've been passed an mtag, it means the packet
- * was already processed by an ethernet/crypto combo card and
- * thus has a tag attached with all the right information, but
- * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
- * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+ * processed).
 */
- if (mt == NULL && sproto != IPPROTO_IPCOMP) {
+ if (sproto != IPPROTO_IPCOMP) {
 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, sizeof(struct tdb_ident), M_NOWAIT);
 if (mtag == NULL) {
@@ -789,10 +778,6 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 tdbi->alg_enc = sav->alg_enc;
 m_tag_prepend(m, mtag);
- } else {
- if (mt != NULL)
- mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
- /* XXX do we need to mark m_flags??? */
 }
 key_sa_recordxfer(sav, m);
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 31ad7e9a0113..292dba2d66d0 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -812,12 +812,12 @@ ah_input_cb(struct cryptop *crp)
 switch (saidx->dst.sa.sa_family) {
 #ifdef INET6
 case AF_INET6:
- error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
+ error = ipsec6_common_input_cb(m, sav, skip, protoff);
 break;
 #endif
 #ifdef INET
 case AF_INET:
- error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
+ error = ipsec4_common_input_cb(m, sav, skip, protoff);
 break;
 #endif
 default:
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index b0c04ab070b7..cc959966fa4b 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -597,12 +597,12 @@ esp_input_cb(struct cryptop *crp)
 switch (saidx->dst.sa.sa_family) {
 #ifdef INET6
 case AF_INET6:
- error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
+ error = ipsec6_common_input_cb(m, sav, skip, protoff);
 break;
 #endif
 #ifdef INET
 case AF_INET:
- error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
+ error = ipsec4_common_input_cb(m, sav, skip, protoff);
 break;
 #endif
 default:
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 17c4f349fa30..e7035cb63c06 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -309,12 +309,12 @@ ipcomp_input_cb(struct cryptop *crp)
 switch (saidx->dst.sa.sa_family) {
 #ifdef INET6
 case AF_INET6:
- error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
+ error = ipsec6_common_input_cb(m, sav, skip, protoff);
 break;
 #endif
 #ifdef INET
 case AF_INET:
- error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
+ error = ipsec4_common_input_cb(m, sav, skip, protoff);
 break;
 #endif
 default: